The CIS controls version 8.0 lists Inventory /Control of Enterprise Assets and Inventory/Control of Software Assets as its first and second control.
The first control details “actively [managing] (inventory, track, and correct) all enterprise assets (end-user devices, including portable and mobile; network devices; non-computing / Internet of things (IoT) devices; and servers) connected to the infrastructure physically, virtually, remotely, and those within cloud environments, to accurately know the totality of [the] assets that need to be monitored and protected within the enterprise.”
The second control details “actively [managing] (inventory, track, and correct) all software (operating systems and applications) on the network so that only authorized software is installed and can [be] executed”. Additionally, it notes ‘that unauthorized and unmanaged software is found and prevented from installation or execution.”
Importance of Asset Management to Cybersecurity
If you don’t know what you have, where your important data is housed, how it is backed up, and whom the users are accessing it, then it makes it challenging to protect it. It would be like an Airline not knowing where its aircraft were when they need to be maintained next, or its capacity for how much fuel it carries and how many passengers can fly in it. Asset management in the Cybersecurity framework is critical to mitigating risks within an organization.
Asset discovery and management are the foundation of a strong IT program. Asset management is about understanding all your assets and how they interoperate to reduce your cybersecurity exposure.
How Frequently Should I Check My Technology Assets?
The collection of Inventory should not be a once-a-year update of a spreadsheet, but an ongoing collection of assets and a monthly review to ensure they align with business policies. One recommendation is to capture alerts for any new assets that are discovered. It is recommended that alerts are captured for any new assets discovered. This allows for actions to be taken to evaluate if the asset is a security risk or if it poses a threat to the organization.
Some actions that can be taken include checking to see if it is required for the asset to be backed up, checking if the asset has the correct software loaded (Antivirus, Malware) and if the software is the approved version. Having continuous discovery of assets including classification and assessments will provide complete visibility into your environment and information on your attack surface.
Incorporating the software and hardware in an inventory list will allow you to stay current with compliance and governance requirements. It does this by alerting you on issues and ensuring you have a single source of truth.
Asset Management Resources
NIST Recommendations
NIST released detailed recommendations for IT Asset Management (NIST SP 11800-5b). It is a 237-page document that goes into detail about recommendations for implementing Asset Management in an Enterprise (including how-to guides). Although this may be more information than you require, it provides some great reference material.
Software Scanners
There are also software scanners that can scan your network and check logs for new additions to the network. It then probes devices for information on a regular basis. Implementing an automated system to manage your assets will minimize the time required to manually update the Asset Register. This will also ensure it is current and up to date when needed to be referenced for security purposes. Some even understand the relationships between assets and how they operate within your business. They also look for anomalies that are outside the normal interaction. A good example of this is a server that has a sensitive database on it that is normally accessed by three users. If a new machine comes online and accesses this database, an alert may be raised.
How to Protect My Assets?
We recommend to our clients that they have an asset and software inventory in place and include cloud-based software and virtual machines. Even if you start with something simple and build upon it. This will lay the groundwork for something that will be referenced often, and its value will be realized through the implementation of more advanced cybersecurity controls.
Need help with your asset management? Contact our team of experts today!
References
IT Asset Management (nist.gov)
CIS Critical Security Controls Version 8 (cisecurity.org)